This type of worm hides itself as SCVHOST.EXE or SCVHOSTS.EXE so it will look like the legitimate Windows program SVCHOST.EXE. This type of virus usually spread through Yahoo Messenger. This virus is also known as W32/YahLover.Worm.gen and Win32/Autorun.R.worm. One way to avoid infection from this virus is to ignore any invites from unknown friends.
This virus/worm installs itself in autorun.inf and once double click it will spread itself unto your system. Furthermore, it copies itself through all the shared folders on your computers throughout the network and installs itself in the registry entries remotely.
Here are indication that your computer is infected with this virus.
- This virus/worm blocks the task manager.(way to fix your task manager)
- The worm changes the registry to prevent running task manager and editing registry for harder detection. (way to enable registry editor)
- It automatically restarts the computer when you try to go to the command prompt.
- It duplicates itself to different locations of the shared folders. The duplicated virus/worm uses a FOLDER icon with an .exe file extension. WARNING! DO NOT double click these folders.
- It autostart via registry keys Windows->Run and add itself to WinNT->WinLogon->Explorer.exe
How to remove the virus
You can use NOD32 or any strong antovirus programs to remove this virus but if you don’t have a anti-virus or your antivirus can’t remove this virus try following the steps below to remove it manually.
- Boot your system in Safe Mode Command Prompt Only (How to start Windows in safe mode)
- After you log-in the command prompt will be opened (LOG-IN AS ADMINISTRATOR).
- Type CD C:\WINDOWS\SYSTEM32 (I assume that your Windows System files are located at Drive C)
- Type DIR /ah, this will display all hidden files on this directory folder. You will see the following files which is used by the virus to spread itself: AUTORUN.INI, BLASTCLNNN.EXE, and SCVHOST.EXE
- Type ATTRIB -H -R -S SCVHOST.EXE
- Type ATTRIB -H -R -S BLASTCLNNN.EXE
- Type ATTRIB -H -R -S AUTORUN.INI
- Type DEL SCVHOST.EXE
- Type DEL BLASTCLNNNN.EXE
- Type DEL AUTORUN.INI
- Type CD\
- Type ATTRIB -H -R -S AUTORUN.INF
- Type DEL AUTORUN.INF
After following the steps on removing the virus/worm files, the virus should now be removed from the registry of your system.
- At the command prompt type REGEDIT and press ENTER key. This will run the Registry Editor
- From the registry, look for the keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, you will see an entry Yahoo! Messengger (it’s spelled like this) with a value c:\windows\system32\scvhost.exe, Delete this entry.
- Look again for the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, there’s an entry named: SHELL, it has a value = Explorer.exe SCVHOST.EXE , DON’T delete this entry!!! Just edit this entry and REMOVE the SCVHOST.EXE so that Explorer.exe will be the only value that remains from this registry entry.
After carefully following all the steps restart your computer on normal mode and the virus should now be gone.